HolyBugx
511 posts


@rez0__ Lots of contradiction & speculation with little data.
- "Hackbots find 1 % of vulns" → How was this measured?
- 2 → 3 → 4 % isn't a law; one jump ≠ trend.
- "Hackbot singularity this year" clashes with your "slow hand-off"
Where are the citations? Evidence or just vibes?
HolyBugx reposted

The results are in! We're proud to announce the Top ten web hacking techniques of 2024! portswigger.net/research/top-1…

My English has never been good, I tried to translate what I had in my mind and I hope this shows how I feel
Every step of this journey was a challenge—long hours, sacrifices, and moments when it felt impossible. But it was all worth it. I’m so proud and honored to have won 1st place at the Pwn2Own 2025 competition!
To the amazing @thezdi team: your hard work, care, and passion made this event possible. You didn’t just host a competition—you gave me a chance to dream bigger, work harder, and achieve something great. Thank you for every second of your work and effort!
And to God: thank You for being my strength, my guide, and my reason to keep going through the toughest moments. I am forever grateful. 💙🙏

TrendAI Zero Day Initiative@thezdi
And that’s a wrap! #Pwn2Own Automotive 2025 is complete. In total, we awarded $886,250 for 49 0-days over the three day competition. With 30.5 points and $222,250 awarded, Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) is our Master of Pwn. #P2OAuto
HolyBugx reposted

New blog post with @infosec_au:
We found a vulnerability in Subaru where an attacker, with just a license plate, could retrieve the full location history, unlock, and start vehicles remotely.
The issue was reported and patched.
Full post here: samcurry.net/hacking-subaru
HolyBugx reposted

Introducing the Cookie Sandwich, a tasty technique to steal HttpOnly cookies using legacy RFC features: portswigger.net/research/steal…
HolyBugx reposted

Did you know you can use an ancient magic cookie to downgrade parsers and bypass WAFs?! Neither did we. Enjoy!
portswigger.net/research/bypas…
HolyBugx reposted

Check out our latest blog post! We dive into GitHub Enterprise’s SAML implementation and explore an authentication bypass in encrypted assertion mode.
CVE-2024-4985 / CVE-2024-9487: GitHub Enterprise SAML Authentication Bypass.
projectdiscovery.io/blog/github-en…
HolyBugx reposted

1 Bug, $50K+ in bounties: how Zendesk left a backdoor in hundreds of companies #bugbountytips
gist.github.com/hackermondev/6…

Attacking UNIX Systems via CUPS, Part I
evilsocket.net/2024/09/26/Att…
HolyBugx reposted

Love a good client-side exploit chain! This crazy cross-product chain targeting Google by @rebane2001 is a great example of the type of exploit that gets easier the longer you spend targeting a single company
lyra.horse/blog/2024/09/u…
HolyBugx reposted

In August, watchTowr Labs hijacked parts of the global .mobi TLD - and went on to discover the mayhem that we could cause.
Enjoy....
labs.watchtowr.com/we-spent-20-to…
HolyBugx reposted

In April, @samwcyo and I discovered a way to bypass airport security via SQL injection in a database of crewmembers. Unfortunately, DHS ghosted us after we disclosed the issue, and the TSA attempted to cover up what we found.
Here is our writeup:
ian.sh/tsa
HolyBugx reposted

Thrilled to release my latest research on Apache HTTP Server, revealing several architectural issues! blog.orange.tw/2024/08/confus…
Highlights include:
⚡ Escaping from DocumentRoot to System Root
⚡ Bypassing built-in ACL/Auth with just a '?'
⚡ Turning XSS into RCE with legacy code from 1996
HolyBugx reposted

Everyone knows that the RFCs for email addresses are crazy. This post will show without doubt that you should not be following the RFC.
portswigger.net/research/split…
HolyBugx reposted

The whitepaper is live! Listen to the whispers: web timing attacks that actually work. Read it here ->
portswigger.net/research/liste…
HolyBugx reposted

I recently developed and posted about a technique called "First sequence sync", expanding @albinowax's single packet attack.
This technique allowed me to send 10,000 requests in 166ms, which breaks the packet size limitation of the single packet attack.
flatt.tech/research/posts…